SCIENCE AND ENGINEERING NEWS
Robert Lemos reported for ZDNet News: The major outages that hit Microsoft last week could become more commonplace because of four flaws found in the software used to identify servers around the Internet, security experts said Monday. “These issues could allow attackers to completely compromise a server and use that server to attack others,” said Jim Magdych, security research manager for PGP Security. “In addition, they could be exploited to attack a company through a denial of service similar to what we saw at Microsoft last week.”
Over the last month, researchers from the company have discovered four separate vulnerabilities in key software widely used to locate Internet servers within specific domains. Known as the Berkeley Internet Name Domain, or BIND, service, the DNS (domain name service) software is used by most companies to identify the domain to which each of their Internet servers belongs.
For example, a surfer who would like to go to PGP Security’s Web site would type “www.pgp.com,” but if the company’s DNS servers were not available, the surfer’s browser wouldn’t know where to send the request.
PGP Security teamed with the Computer Emergency Response Team Coordination Center at Carnegie Mellon University to announce the vulnerabilities on Monday.
The vulnerabilities are mostly so-called buffer overflows, which allow a specially formatted command to cause a computer to crash or execute arbitrary code. The flaws affect BIND versions 4 and 8, but have been corrected in versions 4.9.8, 8.2.3 and 9.1. The danger to companies is illustrated by Microsoft’s (Nasdaq: MSFT) recent Web nightmare.
“Every organization connected to the Internet relies on DNS to direct their users to their servers,” said Jeff Carpenter, manager of the CERT Coordination Center. “If control is gained, intruders could redirect requests to another site.”
Last week, Microsoft’s major Web sites suffered outages over four days, several of them due to DNS problems. During the first outage, which lasted nearly 24 hours from late Tuesday to Wednesday evening, the giant’s Microsoft.com, MSN.com, Hotmail.com, Expedia.com, Encarta.com, and Carpoint.com Web sites were unavailable because a technical glitch cut off the company’s DNS servers from the Internet. Most Web surfers typing any address on those servers could not get through.
PGP Security’s Magdych said companies reliant on several thousand flawed DNS servers could be facing the same scenario. “The vast majority of DNS servers out there on the Internet are running BIND and are vulnerable to these issues,” he said.
While programs and attack tools that take advantage of the flaws are not yet on the Internet, experts recommend that companies that must use DNS upgrade their servers to a version of BIND that is not vulnerable.
“Version 9 is not susceptible to the same issues found in earlier versions of the BIND DNS software,” David Conrad, chief technology officer of DNS software and services firm Nominum, said in a statement. “We strongly encourage all users of BIND to upgrade to BIND version 9 or later.”
Many servers that don’t need to run BIND may still be vulnerable because the administrator never turned the software off, he said. Leaving such services turned on and not applying the patches is a major problem with Internet security today, many experts have said.
Other vulnerabilities are threatening the Internet’s critical domain name service. More than 38 percent of .com domain names use DNS servers that rely on a single network bottleneck, thus making them vulnerable to the same sorts of attacks that hit Microsoft last week, said Sjofn Agustsdottir, director of surveys for Men and Mice, a DNS consultancy.
“It is clear that a stunning number of companies have serious DNS configuration problems which can lead to failure at any time,” she said.